10999246

Locked Down Network Interface

Published May 4, 2021
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
26 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. An apparatus comprising: circuitry configured to provide at least one of writes and/or updates to at least one rule in a data store of a network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, wherein each rule of the at least one rule comprises: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic; wherein the circuitry is configured to encrypt the at least one of writes and/or updates, wherein the at least one of writes and/or updates are authenticated using a digital signature applied using at least one key accessible to the circuitry, wherein the at least one of writes and/or updates comprises a write and/or update of a corresponding action of a rule of the at least one rule, the corresponding action comprising, in response to one or more values of payload data of at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one data packet to a control application.

2. An apparatus as claimed in claim 1, wherein the at least one key is accessible to the network interface device.

3. An apparatus as claimed in claim 1, wherein communications between the data store and the circuitry are authenticated using a public-private key pair.

4. An apparatus as claimed in claim 1, wherein the at least one key is stored in at least one of a read only memory and/or a non-volatile random access memory.

5. An apparatus as claimed in claim 1, wherein the circuitry is configured to receive an indication of a new rule for performing actions with respect to data flows.

6. An apparatus as claimed in claim 1, further configured to communicate with the network interface device over a network.

7. An apparatus as claimed in claim 1, wherein the circuitry is an application running on a trusted host accessible to a network or switch.

8. An apparatus as claimed in claim 1, wherein the circuitry is configured to provide at least one of a write and/or an update to the data store of an action comprising enforcing a maximum rate for a data flow.

9. An apparatus as claimed in claim 1, wherein the circuitry is configured to provide at least one of a write and/or an update to the data store of an action comprising allowing a data flow received from the network to be sent to the application.

10. An apparatus as claimed in claim 1, wherein the circuitry is configured to provide at least one of a write and/or an update to the data store of an action comprising blocking a data flow directed to the application.

11. An apparatus as claimed in claim 1, wherein the circuitry is configured to provide at least one of a write and/or an update to the data store of an action comprising discarding a data packet of a data flow that matches a defined condition.

12. An apparatus as claimed in claim 1, wherein the circuitry is configured to provide at least one of a write and/or an update to the data store of an action comprising duplicating at least part of a data flow and forwarding said duplicated at least part of the data flow to the circuitry.

13. An apparatus as claimed in claim 1, wherein the updates comprise a rule indicating that the network interface device is not to accept further updates of the at least one rule of the data store.

14. An apparatus as claimed in claim 1, wherein the network interface device and the circuitry are configured to carry out a challenge response authentication protocol.

15. An apparatus as claimed in claim 1, wherein the circuitry is configured to receive commands from a network entity.

16. An apparatus as claimed in claim 1, wherein the circuitry is configured to update the at least one rule according to traffic flows observed at the network interface device.

17. An apparatus as claimed in claim 1, wherein the circuitry is an application running on a host of a system comprising the network interface device and the circuitry.

18. A method implemented in an apparatus for maintaining a data store of a network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, the method comprising: in response to authenticating the network interface device using a digital signature applied using at least one key accessible to the apparatus, writing and/or updating at least one rule in the data store of the network interface device, wherein writing and/or updating the at least one rule comprises encrypting content to be written and/or updated in the writing and/or updating, wherein each of the at least one rule of the data store of the network interface device comprises: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more of the data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic, wherein writing and/or updating the at least one rule comprises writing and/or updating a corresponding action of a rule of the at least one rule, the corresponding action comprising, in response to one or more values of payload data in at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one data packet.

19. A computer program product, the computer program product being embodied on a non-transient computer-readable medium and configured so as when executed by a device to cause the device to perform a method for maintaining a data store of a network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, the method comprising: in response to authenticating the network interface device using a digital signature applied using at least one key accessible to the device, writing and/or updating at least one rule in the data store of the network interface device, wherein writing and/or updating the at least one rule comprises encrypting content to be written and/or updated in the writing and/or updating, wherein each of the at least one rule of the data store of the network interface device comprises: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic, wherein writing and/or updating the at least one rule comprises writing and/or updating a corresponding action of a rule of the at least one rule, the corresponding action comprising, in response to one or more values of payload data in at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one data packet.

20. An apparatus as claimed in claim 1, wherein each of the writes and/or updates to the at least one rule comprise at least one of: a write and/or an update to at least one of the characteristics of one or more data packets transmitted between a network and an application; or a write and/or an update to at least one of the corresponding actions to be performed by the compliance filter in response to the respective characteristic being identified in one or more data packets.

21. A method implemented in a network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, the method comprising: in response to authenticating, using a digital signature applied using at least one key, an entity that is to write to and/or update the data store, receiving encrypted content to be written to and/or updated in the data store, and writing and/or updating at least one rule in the data store of the network interface device based at least in part on the received encrypted content, wherein each of the at least one rule of the data store of the network interface device comprises: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic, wherein writing and/or updating the at least one rule comprises writing and/or updating a corresponding action of a rule of the at least one rule, the corresponding action comprising, in response to one or more values of payload data in at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one packet to a receiver that otherwise would not have received the at least one data packet.

22. At least one non-transitory computer-readable storage medium having encoded thereon executable instructions that, when executed, cause a network interface device to perform a method for maintaining a data store of the network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, the method comprising: in response to authenticating, using a digital signature applied using at least one key, an entity that is to write to and/or update the data store, receiving encrypted content to be written to and/or updated in the data store, and writing and/or updating at least one rule in the data store of the network interface device based at least in part on the received encrypted content, wherein each of the at least one rule of the data store of the network interface device comprises: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic, wherein writing and/or updating the at least one rule comprises writing and/or updating an action of a rule of the at least one rule, the action comprising, in response to one or more values of payload data in at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one packet from a destination to which the at least one packet would otherwise have been directed.

23. An apparatus comprising: a network interface device for interfacing a host computing device with a network, the network interface device comprising a host interface for communicating data packets to and/or from an application of the host computing device and a network interface for communicating the data packets to and/or from the network, the network interface device comprising: circuitry configured to carry out acts of: in response to authenticating, using a digital signature applied using at least one key, an entity that is to write to and/or update the data store, receiving encrypted content to be written to and/or updated in the data store, and writing and/or updating at least one rule in the data store of the network interface device based at least in part on the received encrypted content, wherein each of the at least one rule of the data store of the network interface device defines: a characteristic of data packets received from the application for transmission via the network; and a corresponding action to be carried out by the network interface device with respect to one or more data packets received from the application for transmission via the network, in response to the network interface device identifying that the one or more of the data packets match the characteristic, wherein writing and/or updating the at least one rule comprises writing and/or updating a corresponding action of a rule of the at least one rule, the corresponding action comprising, in response to one or more values of payload data in at least one data packet meeting at least one criterion defined by the rule, triggering redirecting of the at least one packet from a destination to which the at least one packet would otherwise have been directed.

24. An apparatus as claimed in claim 1, wherein: a first rule, of the at least one rule of the data store of the network interface device, comprises a characteristic that includes a threshold condition to be applied to the one or more data packets received from the application for transmission via the network, and a corresponding action that is to be carried out in response to the network interface device identifying that the one or more of the data packets meet the threshold condition, and the writing and/or updating the at least one rule comprises writing and/or updating the threshold condition.

25. An apparatus as claimed in claim 1, wherein: the circuitry is configured to provide the control application, wherein the circuitry is configured to perform actions of the control application comprising: receiving the redirected at least one data packet; and reviewing the redirected at least one data packet generated by the application to determine whether the redirected at least one data packet is to be permitted onto the network; and causing the redirected at least one data packet to be transmitted via the network in response to determining that the redirected at least one data packet is to be permitted onto the network.

26. The apparatus as claimed in claim 25, wherein: each data packet of the redirected at least one data packet was, prior to the redirecting, to be sent to a respective destination of the data packet; and causing the redirected at least one data packet to be transmitted via the network comprises causing the redirected at least one data packet to be transmitted via the network to the respective destination of the data packet.
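
Worked example of the update path the claims describe, added by the editor; it is not code from the patent or its inventors. A trusted host application (the "circuitry" of claims 7 and 17) encrypts a rule and signs it, and the network interface device verifies the signature before it decrypts anything or touches its rule data store. The rule format (destination port plus a payload-prefix criterion, claims 1 and 24), the actions allow / redirect / lockdown (claims 9, 1 and 13), Ed25519 for the signature, AES-GCM for the encryption, JSON as the rule encoding, the 16-byte single-use challenge standing in for the challenge-response protocol of claim 14, and every type and function name are the editor's assumptions chosen to make the exchange runnable offline; the FIX-style payload is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

type Action string // what the NIC does with an outbound packet that matches a rule

const (
	ActAllow    Action = "allow"
	ActRedirect Action = "redirect" // divert to the control application instead of the wire
	ActLockdown Action = "lockdown" // the store accepts no further updates (claim 13)
)

// Rule pairs a characteristic (destination port plus a payload-prefix criterion) with an action.
type Rule struct {
	DstPort       uint16
	PayloadPrefix []byte
	Action        Action
}

// Update is one write to the store: the AES-GCM-sealed rule plus an Ed25519 signature over nonce||ciphertext||challenge.
type Update struct{ Nonce, Ciphertext, Sig []byte }

func newAEAD(key []byte) cipher.AEAD { // key is 32 bytes wherever this is called
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// MakeUpdate is the controller side: encrypt the rule, then sign ciphertext and challenge together.
func MakeUpdate(priv ed25519.PrivateKey, aead cipher.AEAD, r Rule, challenge []byte) Update {
	plain, _ := json.Marshal(r)
	nonce := randBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plain, nil)
	sig := ed25519.Sign(priv, bytes.Join([][]byte{nonce, ct, challenge}, nil))
	return Update{Nonce: nonce, Ciphertext: ct, Sig: sig}
}

// NIC holds the rule data store, the controller's public key and the AEAD key.
type NIC struct {
	pub       ed25519.PublicKey
	aead      cipher.AEAD
	challenge []byte // outstanding challenge; nil when none is pending
	rules     []Rule
	locked    bool
}

// Challenge issues a fresh single-use value the next signature must cover, so a captured update cannot be replayed.
func (n *NIC) Challenge() []byte { n.challenge = randBytes(16); return n.challenge }

// ApplyUpdate verifies the signature before touching the ciphertext, then decrypts and installs the rule.
func (n *NIC) ApplyUpdate(u Update) error {
	if n.locked || n.challenge == nil {
		return errors.New("update refused: store locked down or no outstanding challenge")
	}
	msg := bytes.Join([][]byte{u.Nonce, u.Ciphertext, n.challenge}, nil)
	n.challenge = nil // consumed whether or not verification succeeds
	if !ed25519.Verify(n.pub, msg, u.Sig) {
		return errors.New("signature verification failed")
	}
	var r Rule
	if plain, err := n.aead.Open(nil, u.Nonce, u.Ciphertext, nil); err != nil || json.Unmarshal(plain, &r) != nil {
		return errors.New("update body rejected: decryption or rule decoding failed")
	}
	n.locked = r.Action == ActLockdown // a lockdown rule closes the store for good
	if !n.locked {
		n.rules = append(n.rules, r)
	}
	return nil
}

// Filter returns the action for an outbound packet: first match wins, unmatched traffic is allowed.
func (n *NIC) Filter(dstPort uint16, payload []byte) Action {
	for _, r := range n.rules {
		if r.DstPort == dstPort && bytes.HasPrefix(payload, r.PayloadPrefix) {
			return r.Action
		}
	}
	return ActAllow
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aead := newAEAD(randBytes(32)) // constructed: the AEAD key provisioned to both NIC and controller
	nic := &NIC{pub: pub, aead: aead}
	u := MakeUpdate(priv, aead, Rule{DstPort: 9000, PayloadPrefix: []byte("8=FIX"), Action: ActRedirect}, nic.Challenge())
	fmt.Println("install:", nic.ApplyUpdate(u), "verdict:", nic.Filter(9000, []byte("8=FIX.4.2|35=D")))
}
```

Two design points worth noting. The integrity decision rests entirely on the signature: encrypting the rule (claims 1, 18 and 21) hides its content from anyone watching the update channel but does not by itself stop a forged or replayed write, which is why the signature is checked first and why it covers the NIC's challenge. Replaying a captured update therefore fails twice over, once because the challenge it was signed against has been consumed, and again against a fresh challenge because the signature no longer matches. The assets to protect are the controller's private key and the NIC-side verification key, which claim 4 places in ROM or NVRAM; once a lockdown rule has been accepted, the installed rules keep filtering but no key holder can change them until the device is reprovisioned.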

Patent Metadata

Filing Date

Unknown

Publication Date

May 4, 2021

Inventors

Steven Leslie Pope
Derek Edward Roberts
David James Riddoch

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “LOCKED DOWN NETWORK INTERFACE” (10999246). https://patentable.app/patents/10999246

© 2026 Patentable. All rights reserved.